Application No. 10/550,617 
Attorney Docket No. 743459-23 
Page 2 of 7 

Applicant contends that electronic data is changed using the operation method as seen in 
claims 1-14 and 24-26, and thus satisfies a transformation as defined by the present "Machine- 
or-Transformation" test as set forth under the Federal Circuit Court's decision handed down in 
the case of In re Bilski, 545 F.3d 943. 88 U.S.P.0.2d 1385 (Fed. Or. 2008). 

Furthermore, in the "Response to Appliczint's Arguments" section of the Office Action, 
the Examiner has failed to set forth any clear reasoning why electronic data being changed in the 
claimed method does not satisfy a trzinsformation as set forth in the case of In re Bilski. 

Accordingly, the subject matter of cMms 1-14 £ind 24-26 is believed to be directed to 
statutory subject matter under 35 U.S.C. § 101, and thus it is requested that the rejection be 
withdrawn. 

Claim Rejections - 35 U.S.C. § 103 

Claims 1, 6, 8, 14, 16, 19, 21 and 23-26 stand rejected under 35 U.S.C. § 103(a) as 
allegedly being unpatentable over Heinrich (U.S. Pub. No. 2003/0046128 Al) {Heinrirh, 
hereinafter) in view of Tschiegg et al. (U.S. Pub. No. 2003/0160818 Al) {Tschiegg, hereinafter). 
Claims 2-5, 7, 9-13, 15, 20 and 22 stand rejected under 35 U.S.C. § 103(a) as allegedly being 
unpatentable over Heinrich in view of Tschiegg and in further view of Lovejoy et dl. (U.S. Pub. 
No. 2002/01238416 Al) (Lovejoy, hereinafter). Applicant traverses the rejections for at least 
the reasons set forth below. 

Applicant contends that present independent claims 1 and 16, and the claims dependent 
therefrom, are patently distinguishable over Heinrich, Tschiegg and Lovejoy, since Heinrich, 
Tschiegg and Lovejoy, taken either alone or in combination, fail to disclose, teach or suggest all 
of the features recited in the pending claims. For example, independent claim 1 (emphasis 
added) recites: 

1. A computer-implemented method for assessing risk 
within an organization, comprising: 

defining one or more zones, each of said one or more 
zones comprising an environment; 

identifjdng one or more assets of said organization, each 
of said assets being located in a respective one of said zones; 

conducting a respective impact assessment for each of 
said assets, each assessment comprising assessing the impact 
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of the loss of said respective asset; 

conducting for each of said zones a respective zone risk 
assessment, comprising assessing tiie risk level associated with 
placing a respective asset within said respective corresponding 

zone; 

conducting for each asset a respective asset risk 
assessment, comprising assessing the risk level associated with 
said respective asset independent of the respective zone of said 
respective asset; and 

assessing risk on the basis of at least said impact 
assessment, said zone risk assessments and said asset risk 
assessments. 

Independent claim 16 (emphasis added) recites: 

16. An apparatus for assessing risk within an 
organization, comprising: 

data input means for inputting asset information into a 
register of assets, each of said assets being an asset of said 
organization, each of said assets being located in a respective 
zone; 

data storage lor storing said register of assets, including 
for each of said assets said respective zone; 

means for receiving or storing a respective zone risk 
assessment for each of said zones, said respective zone risk 
assessment comprising an assessment of the risk level associated 
with placing a respective asset within said respective 
corresponding zone; 

means for receiving or storing a respective asset risk 
assessment for each asset, said respective asset risk 
assessment comprising an assessment of the risk level 
associated with said respective asset independent of the 
respective zone of said respective asset; 

means for receiving or storing a respective impact 
assessment for each of said assets, each assessment comprising 
assessing the impact of the loss of said respective asset, and 
for assessing risk on the basis of at least said impact 
assessment, said zone risk assessments and said asset risk 
assessments to thereby form a risk assessment; and 

output means for outputting said risk assessment. 

It is Applicant's contention that neither Heinrich, Tschiegg, nor Lovejoy, taken either 
singly or in any proper combination, anticipate or render obvious at least the above-identified 
features recited in present independent claims 1 and 16. 

The primary Heinrich reference fails to teach or suggest numerous features of the present 
invention, as acknowledged by the Examiner on page 6 of the Office Action, but who is reliant 
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upon Tschiegg for making up for the shortcomings of Heinrich. 

As seen on page 6 of the Office Action, the Examiner alleges that Tschiegg discloses the 
feature of "conducting for each of said zones a respective zone risk assessment, comprising 
(paragraph 0058-0069, regarding the filter function that allows for customized reporting about 
specific risk management segments)." However, upon close review, peiragraphs [0059]-[0069] of 
Tschiegg merely states: 

[0058] In one embodiment of the invention, users may interactively filter data 
from their respective risk management information segments 12. sub. .oval- 
hollow, by selecting one or more risk management filters 40 of graphics 
interface 16. FIG. 1 illustratively shows an array of filters 40(1) . . . 40(K). 
Filters 40 manipulate data of risk management information 12 for display to 
users at computers 14; for example one filter 40(1) may be used to generate 
graphic 34 at computer 14(1). A user of system 10 may save configurations of 
filters 40 so that, for example, only that user can view and utilize the saved 
filter; or so that a filter 40 may be seen and utili/ed by anyone with access to a 
particular information segment 12.sub..oval-hollow.. Moreover, a user may 
define a filter 40 and save the filter with his associated risk management 
information segment 12.sub..oval-hoUow. so as to later use the filter in other 
sessions. Representative filters 40 for use in system 10 may for example exhibit 
the following non-limiting properties: 

[0059] Filters 40 are preferentially available to the most active data fields 

[0060] Filters 40 may operate on multiple data fields 

[0061] Filters 40 support date ranges and user specified field values 

[0062] Filters 40 utihze criteria carried forward to multiple reports 

[0063] Filters 40 are accessible at all times 

[0064] Filters 40 may be changed at any time 

[0065] Filters 40 operate to de-clutter reports with inactive data fields 
[0066] Filters may be saved or deleted 
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[0067] All filters 40 may be applied concurrently or individually 

[0068] Filters may be common (shared and viewable by all) or personal (unique 
to a specific user) 

[0069] By way of a first example, FIG. 2 shows one representative data graphic 
50 generated by and for a user at computer 14(1) and utilizing data from risk 
management information segment 12(2) through interaction with graphics 
interface 16. Graphic 50 shows a fire protection report with a scope of Asia and 
Australia. A filter 40 may be used to filter data of graphic 50. By way of 
example, FIG. 3 shows one interactive filter 52 available to computer 14(1) that 
serves to limit the region to China and also to locate "poor" sprinkler protection 
ratings. Once selected, the graphic data 34' available to the user may be a report 
54, such as illustrated in FIG. 4. 

As seen in the above passage, Tschiegg discloses filtering data from determined respective 
risk management information segments i.e., this data is merely based upon the determined loss 
before and after implementation of a recommendation (e.g., see also, Tschiegg at paragraphs 
[0005] and [0019]). In the context of the present invention, the feature of, at least, "conducting a 
respective impact assessment for each of sdd assets, each assessment comprising assessing the 
impact of the loss of said respective asset (emphasis added)," which measures impact as a total 
loss of asset, is fundamentally different from the teachings in Tschiegg that simply determine loss 
before and after an implementation of recommendation. Accordingly, the teachings of Tschiegg 
are simply not broad enough to cover the scope of the invention recited in, at least, independent 
claims 1 and 16. 

Applicant further contends that the present invention computes loss based on the potential 
worst case consequential impacts. The impact criteria of the present invention are as follows: 1) 
Loss of Opportunity, 2) Loss of Productivity, 3) Loss due to Regulatory and Contractual 
Breaches, 3) Cost of System hivestment, and 4) Loss due to Confidentiality Breaches. Thus, as 
clearly seen in the list of impact criteria, there is no consideration of risk analysis against the 
existing controls in place , as recited in, at least, independent claims 1 and 16. 

Moreover, the model proposed by Tschiegg is comparative in nature, i.e., measuring risk 
assessment of impact of existing controls before and after impact. For example, a service 
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provided by a computer system may lose an organization $100K if there is a power outage (i.e., 
the Maximus loss). However, if the computer system has an uninterruptable power supply (UPS) 
the loss to the organization may be reduced to $50K (i.e., the Tschiegg definition of impact). 
However, with the further recommendation of a power generator the loss may, e.g., be reduced to 
$20K (i.e., the Tschiegg definition of impact). However, the presently claimed invention, 
assesses impact without consideration of existing controls, such as a UPS or a power generator, 
which is fundamentally different and distinct from the teachings of Tschiegg. 

Furthermore, Applicant asserts that Lovejoy fails to make up for the deficiencies with 
respect to Heinrich and Tschiegg. For at least the reasons stated above Heinrich, Tschiegg, and 
Lovejoy, taken either alone or in combination, fail to anticipate or render obvious each and every 
feature recited in present independent claims 1 and 16. Thus, the Examiner has failed to provide 
a prima facie case of obviousness. Accordingly, Applicant respectfully requests the withdrawal 
of the rejection of independent cMms 1 £ind 16 under 35 U.S.C. § 103(a), £ind the £illow£ince of 
these claims. 

CMms 2-15 £ind 17-26 are dlowable at least by virtue of their dependency from one of 
the independent cMms, but zilso because they are distinguishable over the prior art. 

In view of the foregoing, it is submitted that the present application is in condition for 
allowance and a notice to that effect is respectfully requested. If, however, the Examiner deems 
that any issue remains after considering this response, the Examiner is invited to contact the 
undersigned attorney/agent to expedite the prosecution and engage in a joint effort to work out a 
mutually satisfactory solution. 

In discussing the specification, claims, and drawings in this response, it is to be 
understood that Applicant in no way intends to limit the scope of the claims to any exemplary 
embodiments described in the specification and/or shown in the drawings. Rather, Applicant is 
entitled to have the claims interpreted broadly, to the maximum extent permitted by statute, 
regulation, and applicable case law. 

EXCEPT for issue fees payable under 37 C.F.R. § 1.18, the Commissioner is hereby 
authorized by this paper to charge any additional fees during the entire pendency of this 
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application including fees due under 37 C.F.R. §§ 1.16 and 1.17 which may be required, 
including any required extension of time fees, or credit any overpayment to Deposit Account 
No. 19-2380. This paragraph is intended to be a CONSTRUCTIVE PETITION FOR 
EXTENSION OF TIME in accordance with 37 C.F.R. § 1.136(a)(3). 

Should the Examiner believe that a telephone conference would expedite issuance of the 
application, the Examiner is respectfully invited to telephone the undersigned patent agent at 
(202) 585-8316. 



Respectfully submitted, 

NIXON PEABODY, LLP 

/Marc W. Butler. Reg. #50.219/ 
Marc W. Butler 
Registration No. 50,219 
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